LONDON -- Infosecurity Europe 2014 -- System security is getting better, so attackers are going after a softer target -- people.
Security awareness was a key theme at the Infosecurity conference last week, as speakers and other experts offered their views on how to improve training and education programs.
"What's happened over the last 10 years is the operating system that the adversary is going after has really changed," Eric Cole, chief scientist at Secure Anchor Consulting and a SANS Institute instructor, said Thursday during his induction ceremony into the Infosecurity Europe Hall Of Fame. "If you put enough energy and effort in, you can secure those operating systems -- lock them down, turn off services, patch them -- and we've done a good job of that.
"Now, what operating system is the adversary targeting?" he said. "It's very hard to secure... and hard to patch."
That predicament has led some information security experts, such as Bruce Schneier, to propose more drastic measures, arguing that security training simply isn't salient for non-security experts, because they won't ever really learn. Furthermore, from a big-picture standpoint, Schneier has argued that if engineers designed their software better, people wouldn't have to learn.
Until that happens, information security professionals are left with a triage situation, as many speakers at last week's conference readily acknowledged. To help, they offered the following six strategies:
1. Seek Twitter-like brevity.
Participants from both sides of the pond agreed that attempting to educate users, and to keep them extra vigilant about the types of social engineering attacks that continue to compromise so many organizations, remains challenging. For starters, Andy Jones, CISO of the global container company Maersk Line, said during a panel discussion that effective security messages must find ways to be both direct and brief. "I want my message [to be relayed] in 140 characters. I want a Twitter-type awareness."
2. Unleash the gnomes.
One creative -- and reportedly successful -- user-education approach practiced by Lee Barney, head of information security for Home Retail Group, a leading UK home and merchandising retailer, has been to dress up his information security staffers as gnomes.
Barney said these security gnomes are then placed at strategic locations around the office and used to deliver this line: "Hi, we're from security, talk to us." Cue a training opportunity -- for example, how to spot and avoid phishing attacks. After trying this approach, Barney said, his company launched a fake phishing attack spot test, and no one fell for it. "We had a 100% success rate," he said. "Not right away, but a few weeks later."
3. Offer drop-in home security clinics.
On the user-education front, Michael Colao, head of security for the investment firm AXA UK, recommended during a panel discussion that information security departments hold regular sessions for employees to pose personal information security questions, such as those pertaining to home security or "parental controls that your 12-year-old can't get past in four minutes."
The bigger benefit, he said, is that this type of computer security transfers to people's day jobs. "If you are talking about the steps you have to take to protect your home computer, it's weird, but it's actually quite similar to the steps you have to take to protect your work computer."
4. Play big brother to developers.
Security training can also be supplied to in-house IT staff, of course. For example, it can help developers write more secure code. According to research recently conducted by White Hat, however, inside organizations that emphasized secure coding practices, training alone didn't result in web application developers writing more secure code. Developers needed to know that their managers would also be reviewing the code they wrote, White Hat founder and interim CEO Jeremiah Grossman said in an interview at the conference.
"It came down to accountability. If the developers were accountable for the code they wrote, then they'd get something out of training," he said.
5. Rethink business questions.
Per Schneier's comment, the best approach to security awareness and training is to design security systems that don't require users to think about security. To help make that happen, AXA UK's Colao said, information security teams must take security-related requests from the business side of the house and then extrapolate the question the business would have asked if they'd been security experts.
For example, at an investment bank for which he used to provide security, and which had a small number of customers, the business team asked the security group what password policies it should use to allow partners to log into the investment bank's systems. Taking a step back, Colao said, his group proposed and then implemented a system based on digital certificates.
What was the benefit? "I went once to one of our partners, and there on the wall were all of the main investment banks, and the company's passwords [for logging on to each one], except for ours, because they had a certificate instead," he said. "But if we'd answered the question that the business had originally asked... we would never have gotten there."
6. Lock down Office.
The reality today is that the security of so many systems still succeeds or fails based on user decisions, and users won't always make the right decision. As a result, businesses must look beyond training as a be-all and end-all, said Infosecurity Europe inductee Cole. "We have to do a better job of not allowing the adversary attack effort to make it directly to the person," for example by blocking today's four most prevalent phishing attack strategies: "executable attacks sent to emails, macros in Office documents, active scripting, and HTML content" in emails.
Thankfully, blocking those types of attacks doesn't mean preventing users from employing email or Microsoft Office altogether. Rather, it involves excising specific types of high-risk functionality. "How many of you need that asset from the Internet in order to run your organization?" he asked, referring to the four types of functionality noted above. "It's typically 1%. So if 1% of us need that, and that's the main vector that adversaries are targeting, then why aren't we shutting it down?"
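As an added example (not from the article or any of the speakers), here is a small Python mail-policy check that flags the four vectors Cole names: executable attachments, Office documents carrying a VBA project, active-scripting files and HTML mail bodies. The extension lists, the constructed sample message and its stand-in vbaProject.bin stream are all assumptions made here.

```python
import io
import os
import zipfile
from email.message import EmailMessage

# Constructed policy lists: executables, active-scripting files, Office documents.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi"}
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1"}
OFFICE_EXTS = {".doc", ".docm", ".docx", ".dotm", ".xls", ".xlsm", ".xlsx", ".ppt", ".pptm", ".pptx"}

def office_macro_status(data: bytes) -> str:
    """OOXML is a zip archive; a VBA project is stored as vbaProject.bin inside it."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n.lower() for n in zf.namelist()]
    except zipfile.BadZipFile:
        return "unparsable"   # fail closed: legacy OLE2 .doc/.xls or a corrupt file
    return "macro" if any(n.endswith("vbaproject.bin") for n in names) else "clean"

def classify_message(msg: EmailMessage) -> list[str]:
    """Return policy findings for one parsed message; an empty list means allowed."""
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            findings.append("html-body")
        fname = part.get_filename()
        if not fname:
            continue          # multipart containers and inline bodies carry no filename
        ext = os.path.splitext(fname.lower())[1]
        if ext in EXECUTABLE_EXTS:
            findings.append(f"executable:{fname}")
        elif ext in SCRIPT_EXTS:
            findings.append(f"script:{fname}")
        elif ext in OFFICE_EXTS:
            status = office_macro_status(part.get_payload(decode=True) or b"")
            if status != "clean":
                findings.append(f"office-{status}:{fname}")
    return findings

def build_sample_message() -> EmailMessage:
    """Constructed sample: HTML body plus a macro-enabled .docm and a .js attachment."""
    msg = EmailMessage()
    msg.add_alternative("<html><body>Please see attached.</body></html>", subtype="html")
    docm = io.BytesIO()
    with zipfile.ZipFile(docm, "w") as zf:
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)   # stand-in VBA project stream
    msg.add_attachment(docm.getvalue(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12", filename="invoice.docm")
    msg.add_attachment("// constructed script attachment", subtype="javascript", filename="update.js")
    return msg
```

Legacy binary .doc and .xls files are OLE2 containers rather than zips, so this version files them under "unparsable"; a production filter would inspect their VBA streams with an OLE parser instead.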